Your message dated Wed, 29 Dec 2021 17:33:29 +0000
with message-id <E1n2cpN-000IRn-U6@fasolo.debian.org>
and subject line Bug#1002014: fixed in debian-edu-config 2.12.15
has caused the Debian Bug report #1002014,
regarding debian-edu-config: Kerberos host principals change far too often
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1002014: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1002014
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: debian-edu-config: Kerberos host principals change far too often
- From: Mike Gabriel <mike.gabriel@das-netzwerkteam.de>
- Date: Mon, 20 Dec 2021 14:08:16 +0000
- Message-id: <20211220140816.Horde.sN7ETcLUwDNU0Pa9FjDmNDa@mail.das-netzwerkteam.de>
Package: debian-edu-config
Version: 2.12.14
Severity: important

Currently, with every edit operation on a GOsa² system, the Host (and nfs) Principal(s) of that host get updated (changed). This is especially problematic if you use krb5i based NFS across a school site from various workstations.

The problem is that whenever some admin edits a host in GOsa², this host will lose NFS connectivity to /srv/nfs/home0 until the /etc/krb5.keytab has been updated on that client host. This is hardly maintainable.

The underlying reason is in the gosa-modify-host hook script. The script runs add_principal for host/<client> and nfs/<client> after every save operation on a GOsa² system. We need to check here if those Kerberos principals already exist and only if not, then add those principals.

This has been discussed with Wolfgang Schweer on IRC...

22:03 < sunweaver> as mentioned yesterday, I played with krb5i and diskless workstation quite a bit yesterday.
22:03 < sunweaver> I basically managed to get a Debian Edu 10 and 11 DLW (diskless workstation) running against a Debian Edu 11 TJENER.
22:03 < sunweaver> However...
22:04 < sunweaver> Whenever I edit either the client or the TJENER in GOsa, the principal gets updated in krb5-ldap and my krb5.keytab becomes invalid.
22:05 < schweer> hm, then the keytab needs to be updated, too.
22:05 < sunweaver> This is happening in gosa-modify-host which simply runs an add_principal for that host.
22:05 < schweer> yes.
22:05 < sunweaver> I was wondering, if this gosa-modify-host way-of-doing-things is intentional.
22:05 < schweer> yes, intentional, but obviously suboptimal
22:05 < sunweaver> because, I'd rather check if the host (and nfs) principals exist in krb5-ldap and only create them if they don't exist.
22:06 < schweer> good idea
22:06 < sunweaver> because then, the principals won't change that often as they do now.
22:06 < sunweaver> and krb5.keytab files stay valid
22:06 < sunweaver> I'll propose a patch, then.
22:07 < schweer> feel free to improve gosa-modify-host
22:07 < sunweaver> will do, np.
22:07 < schweer> just commit that change
22:07 < sunweaver> (you provided great work, however, I'll do a little QA over the next couple of days, if ok).
22:08 < schweer> very appreciated

I'll propose a patch for this which then will require to be integrated in next Debian 11 point release.

light+love
Mike
--
DAS-NETZWERKTEAM
c\o Technik- und Ökologiezentrum Eckernförde
Mike Gabriel, Marienthaler Str. 17, 24340 Eckernförde
mobile: +49 (1520) 1976 148
landline: +49 (4351) 850 8940
GnuPG Fingerprint: 9BFB AEE8 6C0A A5FF BF22 0782 9AF4 6B30 2577 1B31
mail: mike.gabriel@das-netzwerkteam.de, http://das-netzwerkteam.de

Attachment: pgpgm_hWArwSd.pgp
Description: Digital PGP signature
--- End Message ---
--- Begin Message ---
- To: 1002014-close@bugs.debian.org
- Subject: Bug#1002014: fixed in debian-edu-config 2.12.15
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Wed, 29 Dec 2021 17:33:29 +0000
- Message-id: <E1n2cpN-000IRn-U6@fasolo.debian.org>
- Reply-to: Holger Levsen <holger@debian.org>
Source: debian-edu-config
Source-Version: 2.12.15
Done: Holger Levsen <holger@debian.org>

We believe that the bug you reported is fixed in the latest version of
debian-edu-config, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1002014@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Holger Levsen <holger@debian.org> (supplier of updated debian-edu-config package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Wed, 29 Dec 2021 18:15:27 +0100
Source: debian-edu-config
Architecture: source
Version: 2.12.15
Distribution: unstable
Urgency: medium
Maintainer: Debian Edu Developers <debian-edu@lists.debian.org>
Changed-By: Holger Levsen <holger@debian.org>
Closes: 1002014
Changes:
 debian-edu-config (2.12.15) unstable; urgency=medium
 .
   [ Mike Gabriel ]
   * share/d-e-c/tools/gosa-modify-host: Only create Kerberos host and
     service principals if they don't yet exist. (Closes: #1002014).
   * share/d-e-c/tools/copy-host-keytab: Restart nfs-common/rpc-gssd after
     having copied over /etc/krb5.keytab. This avoids rebooting for applying
     the copied over changes.
   * share/d-e-c/tools/gosa-create-host: Fix copy+paste flaw in comment.
 .
   [ lintian-brush ]
   * Add missing build dependency on dh addon.
--- End Message ---
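
The check requested in the report and named in the 2.12.15 changelog (create the host/ and nfs/ principals only if they do not yet exist), written here as an added example; it is not the gosa-modify-host code from debian-edu-config. The function names, the `KADMIN` override and the hostname check are assumptions of this example; `kadmin.local -q`, `list_principals` and `add_principal -randkey` are standard MIT Kerberos admin commands.

```shell
#!/bin/sh
# Added example, not the debian-edu-config hook: create the host/ and nfs/
# principals only when the KDC does not have them yet, so keys already
# stored in a client's /etc/krb5.keytab are not invalidated by a re-save.

# Admin command; kadmin.local runs on the KDC itself. Overridable (assumption).
KADMIN="${KADMIN:-kadmin.local}"

# valid_name STRING: accept only letters, digits, dots and hyphens, so the
# value cannot add kadmin options or glob characters to the query.
valid_name() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
}

# principal_exists NAME@REALM: exit 0 if exactly this principal is listed.
principal_exists() {
    # Whole-line fixed-string match: host/pc1... must not match host/pc10...
    "$KADMIN" -q "list_principals $1" 2>/dev/null | grep -Fqx -- "$1"
}

# ensure_principal NAME@REALM: prints "kept ..." or "created ...".
ensure_principal() {
    if principal_exists "$1"; then
        echo "kept $1"            # existing key left untouched
    else
        "$KADMIN" -q "add_principal -randkey $1" >/dev/null 2>&1 || return 1
        # Confirm the result instead of trusting the exit status alone.
        principal_exists "$1" || return 1
        echo "created $1"
    fi
}

# ensure_host_principals FQDN REALM: the two principals named in the report.
ensure_host_principals() {
    valid_name "$1" && valid_name "$2" || return 2
    for svc in host nfs; do
        ensure_principal "$svc/$1@$2" || return 1
    done
}
```

Calling `ensure_host_principals` a second time for the same host reports `kept` for both principals and issues no `add_principal`, which is the property that keeps a deployed keytab valid across edits.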